'Heartbleed' Security Flaw Exposes Millions Of Passwords

Experts have discovered a major flaw in the security software used by millions of websites. “Heartbleed,” as the vulnerability has been dubbed, is a bug in OpenSSL, software that runs on about two-thirds of all web servers.

OpenSSL is behind many sites that collect personal or financial information such as passwords, credit card info and emails. Although researchers discovered the coding error last week, the problem has been present for more than two years.

YOUNG: And are you one of millions wondering just how safe your online account is? Yesterday, the public found out about a big computer bug called Heartbleed, a major security breach that affects software used by millions of websites, maybe ours, maybe yours and definitely maybe one you visited that collects personal and financial information. Today, we've been hearing change your password. No, don't change your password. NPR's technology correspondent Steve Henn joins us now. Steve, welcome.

STEVE HENN, BYLINE: Thanks for having me.

YOUNG: And first, it does sound very dramatic, Heartbleed. What does it do?

HENN: This bug affects an encryption program known as OpenSSL. And SSL was probably the most widely used type of encryption on the Internet. As you said, it's used by millions of websites, including banks, Google, Facebook, Yahoo, many e-commerce sites. It's also used by virtual private networks, VPNs, and has even been embedded into devices on the so-called Internet of things. So the fact that this software protocol is vulnerable isn't a good thing.

YOUNG: Well, Steve, let me ask you probably a stupid question, but you say it's embedded. How do we know? Is there a way someone can know if they have this?

HENN: Well, yeah. That's a tough question to answer. So we're going to post a couple of links on HERE AND NOW that will let you know if the websites you're visiting may have been vulnerable in the past. And we're also going to post a link to a site that will test the website, actually try to exploit this vulnerability and let you know if the site is vulnerable now. But the thing about Heartbleed is it's not a virus. It's a bug that was a programming mistake that went unnoticed in the software for several years. It's been out in the wild for at least two years.

The way it works is that computers and Web servers when they're talking over these encrypted connections have to send out little messages to make sure they're still connected. They're called heartbeats. And, really, that short message is just supposed to say hi, are you there, and then get a response. But researchers discovered that they could use that heartbeat to trick a Web server into sending back the contents of the server's short-term memory or RAM.

Anything that a computer was working on, a server was working on could be included in that bigger message, and that includes things like user names, passwords, credit card information and, most damaging, even the private encryption keys for the entire site, sort of the keys to the kingdom.

YOUNG: So what would one of the effects of that be? Maybe you don't even know that your information has been taken.

HENN: Right. You wouldn't know that the information has been taken. And most damaging, the website that was the victim of this kind of attack would have no idea it happened. And they can't really go back and figure that out. So that's one of the things that has security professionals most worried. This flaw has been out there. There's some evidence that bad actors have known about it and have been exploiting it, but no one can say for sure if their site has been attacked or not. So that brings us to the question of what can you do?

YOUNG: And what is the answer, because we were hearing people say this morning, you must change your passwords, but then hearing other people say do not change your passwords?

HENN: Right. Well, one of the issues is that until the sites you're interacting with actually patch this problem and close the bug, changing your password won't do any good. And, in fact, changing your password on a site that's being exploited right now just makes your new password vulnerable again. I'd say wait a couple of days. And then if you interact with sites that have truly valuable information about you, things like banks, and you think they may have been vulnerable to this attack in the past, it's probably worth it to go ahead and change your password. But you don't need to rush out right now and change everything.

YOUNG: Right. But what probably people should do is go to hereandnow.org and check out those links that you mentioned to see if websites they've gone to might have been bugged.

HENN: Right. There'll be two links on the page. One will show you if the site may have been vulnerable in the past. The next will show you if it's vulnerable right now.